<%doc>
Main configuration file for Squid daemon

Parameters:

$port        - port for the http_port directive
$transparent - when true the listener is declared with 'intercept'
$https       - when true the listener does ssl-bump with the self-signed
               cert/key under /etc/squid3 and the SSL_ports ACLs are declared
$filter      - when true requests are relayed to the content-filter peer on
               localhost:3129, otherwise to the peer on localhost:3130
$hostfqdn    - appended to visible_hostname
$auth        - accepted but not referenced anywhere in this template
$principal   - Kerberos principal for negotiate auth (used together with $realm)
$realm       - Kerberos realm; when set, negotiate auth is configured and user
               names in group ACLs are written as user@REALM, otherwise basic
               LDAP auth is configured and bare user names are used
$dn          - LDAP base DN; the basic auth helper searches ou=Users,$dn
@rules       - access rules (hashes); see _rulesACLs and .rulesAccess for the
               keys consumed
%filterProfiles - 'acls': list of "DECL NAME PARAMS" strings declared as squid
               ACLs (first word dropped, name normalised by _aclName);
               'rulesStubs': per-profile lists of rule stubs expanded by
               .rulesAccess
$authModeExternalAD - when true, the InetGroup external ACL helper for AD group
               lookups is configured with the three values below
$adPrincipal - Kerberos principal passed to the helper
$adDC        - domain controller host passed to the helper
$adAclTTL    - squid-side cache TTL (seconds) of helper results, default 3600
</%doc>
<%args>
$port
$transparent => undef
$https => undef
$filter

$hostfqdn
$auth
$principal
$realm
$dn

@rules
%filterProfiles

$authModeExternalAD => undef
$adPrincipal => undef
$adDC => undef
$adAclTTL => 3600
</%args>
<%shared>
# Prefixes keeping the generated ACL namespaces apart (network object,
# user group, AD group, time-of-week, time-of-day).
our $objectPrefix = 'obj~';
our $groupPrefix = 'grp~';
our $adPrefix = 'ad~';
our $timeDaysPrefix = 'timeDays~';
our $timeHoursPrefix = 'timeHours~';
# Longest ACL name written as-is; longer names are replaced by a
# 'longAcl~N' alias in _aclName (see its comment on the logging problem).
our $maxAclNameLength = 31;
# raw long name -> alias, filled lazily by _aclName. As a shared variable
# it is common to the main body and .rulesAccess within one render, so both
# resolve the same raw name to the same alias.
our %longAclNames = ();
</%shared>
  37. <%perl>
  38. sub _timeAclsInPolicy
  39. {
  40. my ($policy) = @_;
  41. my $acls = '';
  42. if ($policy->{timeDays}) {
  43. $acls = _aclForDays($policy->{timeDays});
  44. $acls .= ' ';
  45. }
  46. if ($policy->{timeHours}) {
  47. $acls .= _aclForHours($policy->{timeHours});
  48. }
  49.  
  50. return $acls;
  51. }
  52.  
  53. sub _aclForHours
  54. {
  55. my ($hours) = @_;
  56. return _aclName($timeHoursPrefix . $hours);
  57. }
  58.  
  59. sub _aclForDays
  60. {
  61. my ($days) = @_;
  62. return _aclName($timeDaysPrefix . $days);
  63. }
  64.  
  65. # needed because space scape doesnt work in acl names
  66. sub _escapeWS
  67. {
  68. my ($string) = @_;
  69. $string =~ s{\s}{~~}g;
  70. return $string;
  71. }
  72. # needed to avoid log acl problems
  73. sub _aclName
  74. {
  75. my ($name) = @_;
  76. if (length($name) <= $maxAclNameLength) {
  77. return _escapeWS($name);
  78. }
  79.  
  80. if (not exists $longAclNames{$name}) {
  81. my $nextId = 1 + keys %longAclNames;
  82. $nextId = 'longAcl~' . $nextId;
  83. $longAclNames{$name} = $nextId;
  84. }
  85.  
  86. return _escapeWS($longAclNames{$name});
  87. }
  88.  
  89. sub _printSplitAcl
  90. {
  91. my ($acl, $members_r, $membersPerLine) = @_;
  92. $membersPerLine or $membersPerLine = 10;
  93. my @members = @{ $members_r };
  94. while (@members > 0) {
  95. my @membersInAcl = splice(@members, 0, $membersPerLine);
  96. $m->print("$acl @membersInAcl\n")
  97. }
  98. }
  99.  
  100. sub _rulesACLs
  101. {
  102. my %args = @_;
  103. my @rules = @{ $args{rules} };
  104. my $realm = $args{realm};
  105. my %seenACL;
  106.  
  107. foreach my $rule (@rules) {
  108. my $object = $rule->{object};
  109. my $group = $rule->{group};
  110. my $adDN = $rule->{adDN};
  111. my ($src, $aclName);
  112. if ($rule->{any}) {
  113. # for any object rule, there is not specific acl
  114. } elsif ($object) {
  115. $src = $object;
  116. $aclName = $objectPrefix . $object;
  117. } elsif ($group) {
  118. $src = $group;
  119. $aclName = $groupPrefix . $group;
  120. } elsif ($adDN) {
  121. $src = $adDN;
  122. $aclName = $adPrefix . $adDN;
  123. } else {
  124. next;
  125. }
  126.  
  127. if ($aclName) {
  128. $aclName = _aclName($aclName);
  129. if ($seenACL{$aclName}) {
  130. # dont print again the ACL, but we cotinue to be able to get time ACLs
  131. # which will be different bztime overlapping ACLs are not allowed
  132. } elsif ($object) {
  133. my $acl = "acl $aclName src";
  134. _printSplitAcl($acl, $rule->{addresses});
  135. } elsif ($group) {
  136. # escape user names
  137. my @users = map { $_ =~ s{ }{\\ }g; $_ } @{$rule->{users}};
  138. if ($realm) {
  139. @users = map { $_ . '@' . $realm } @users;
  140. }
  141. my $acl = "acl $aclName proxy_auth";
  142. _printSplitAcl($acl, \@users);
  143. } elsif ($adDN) {
  144. my $acl = "acl $aclName external InetGroup";
  145. _printSplitAcl($acl, [ $adDN ]);
  146. } else {
  147. next;
  148. }
  149. $seenACL{$aclName} = 1;
  150. }
  151.  
  152. if ($rule->{timeDays}) {
  153. my $aclName = _aclForDays($rule->{timeDays});
  154. if (not $seenACL{$aclName}) {
  155. $m->print("acl $aclName time " . $rule->{timeDays} . "\n");
  156. $seenACL{$aclName}= 1;
  157. }
  158. }
  159. if ($rule->{timeHours}) {
  160. my $aclName = _aclForHours($rule->{timeHours});
  161. if (not $seenACL{$aclName}) {
  162. $m->print("acl $aclName time " . $rule->{timeHours} . "\n");
  163. $seenACL{$aclName} = 1;
  164. }
  165. }
  166. }
  167. }
  168. </%perl>
  169.  
  170.  
<%def .rulesAccess>
<%args>
@rules
%profilesRulesStubs
</%args>
%# One http_access line per rule, referencing the ACL names already declared
%# by _rulesACLs (and squid's builtin 'all' for "any" rules). A rule whose
%# policy is 'profile' is expanded into the profile's rule stubs instead, or
%# degraded to 'allow' when the profile has no stubs.
% foreach my $rule (@rules) {
<%perl>
    # Selector precedence here is adDN > group > object/any, the reverse of
    # the order used in _rulesACLs; a rule carrying several selectors could
    # end up referencing an ACL that was never declared.
    # NOTE(review): a rule with no selector at all is skipped by _rulesACLs
    # but still reaches the http_access line below with an undefined ACL
    # name — confirm the model never produces one.
    my $aclName;
    my $object = $rule->{'object'};
    if ($rule->{any}) {
        $aclName = 'all';
    } elsif ($object) {
        $aclName = $objectPrefix . $object;
    }

    my $group = $rule->{'group'};
    if ($group) {
        $aclName = $groupPrefix . $group;
    }

    my $adDN = $rule->{adDN};
    if ($adDN) {
        $aclName = $adPrefix . $adDN;
    }

    # same normalisation as in _rulesACLs, so escaped/aliased names match
    my $acl = _aclName($aclName);

    my $timeAcls = _timeAclsInPolicy($rule);
    my $policy = $rule->{'policy'};
    if ($policy eq 'profile') {
        my $rulesStubs = $profilesRulesStubs{$rule->{profile}};
        if (not $rulesStubs) {
            # need to allow, to be able to pass it to DG
            $policy = 'allow';
        } else {
            # expand rules stubs: one "<type> <policy> <time acls> <acl> <stub acl>"
            # line per stub, the stub's ACL name normalised like the others
            my $baseAcls = "$timeAcls $acl ";
            foreach my $stub (@{$rulesStubs }) {
                my $ruleStr = $stub->{type};
                $ruleStr .= ' ' . $stub->{policy};
                $ruleStr .= ' ' . $baseAcls . _aclName($stub->{acl});
                $ruleStr .= "\n";
                # output the rule
                $m->print($ruleStr);
            }
            # don't produce the normal rule in this case
            next;
        }
    }
</%perl>
http_access <% $policy %> <% $timeAcls %> <% $acl %>
% }
</%def>
  224.  
  225. % #################################################################################################
  226. % my $transKey = '';
  227. % if ($transparent) {
  228. % $transKey = 'intercept';
  229. % }
  230. % my $sslBumpOptions = '';
  231. % if ($https) {
  232. % $sslBumpOptions = 'ssl-bump cert=/etc/squid3/self_signed_cert.pem key=/etc/squid3/self_signed_key.pem options=ALL';
  233. % }
  234. http_port <% $port %> <% $transKey%> <% $sslBumpOptions %>
  235. # END_TAG #
  236.  
  237. visible_hostname (frontal)<% $hostfqdn %>
  238. coredump_dir /var/spool/squid3
  239. cache_effective_user proxy
  240. cache_effective_group proxy
  241. access_log /var/log/squid3/access.log squid
  242. cache_log /var/log/squid3/cache.log
  243. cache_store_log /var/log/squid3/store.log
  244.  
  245. pid_filename /var/run/squid3.pid
  246.  
  247. % if ($filter) {
  248. cache_peer localhost parent 3129 0 no-query no-digest proxy-only login=*:nopassword
  249. % } else {
  250. cache_peer localhost parent 3130 0 no-query proxy-only login=*:nopassword
  251. % }
  252.  
  253. % if ($realm) {
  254. auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -i -s <% $principal %>@<% $realm %>
  255. auth_param negotiate children 10
  256. auth_param negotiate keep_alive on
  257. % } else {
  258. auth_param basic realm Zentyal HTTP proxy
  259. auth_param basic program /usr/lib/squid3/squid_ldap_auth -v 3 -b ou=Users,<% $dn %> -u uid -p 390
  260. % }
  261. acl_uses_indirect_client on
  262. acl authorized proxy_auth REQUIRED
  263.  
  264. % if ($https) {
  265. acl SSL_ports port 443 # https, snews
  266. acl SSL_ports port 873 # rsync
  267. # ssl-bump options and alllow ssl ports
  268. always_direct allow SSL_ports
  269. ssl_bump allow SSL_ports
  270. % }
  271. acl from_localhost src 127.0.0.0/8 ::1
  272. acl to_localhost dst 127.0.0.0/8 ::1
  273.  
  274. % foreach my $acl (@{ $filterProfiles{acls} }) {
  275. % my ($declaration, $name, $params) = split '\s+', $acl, 3;
  276. % $name = _aclName($name);
  277. acl <% "$name $params" %>
  278. % }
  279.  
  280. http_access allow to_localhost
  281. follow_x_forwarded_for allow from_localhost
  282. forwarded_for on
  283. log_uses_indirect_client on
  284. always_direct allow to_localhost
  285.  
  286. # force clients to use squid-external
  287. never_direct allow all
  288.  
  289. % if ($authModeExternalAD) {
  290. ##
  291. ## Authorization
  292. ##
  293. external_acl_type InetGroup ipv4 children=5 ttl=<% $adAclTTL %> %LOGIN /usr/share/zentyal-squid/squid_ldap_group_sid.pl \
  294. --strip-realm \
  295. --host "<% $adDC %>" \
  296. --keytab /etc/squid3/HTTP.keytab \
  297. --principal <% $adPrincipal %>
  298. % }
  299.  
  300. ##
  301. ## ACLs from model rules
  302. ##
  303. % _rulesACLs(rules => \@rules, realm => $realm );
  304. ##
  305. ## Access
  306. ##
  307. <& .rulesAccess, rules => \@rules, profilesRulesStubs => $filterProfiles{rulesStubs} &>
  308.  
  309. ##
  310. ## Default policy
  311. ##
  312. # All acces denied by default if no other allow rule matchs
  313. http_access deny all
  314. # reply access allowed if not denied before
  315. http_reply_access allow all